
Re: Iceweasel and web browsers vulnerability concerning poodle.



I would like to point out what security.tls.version.min actually does:

http://kb.mozillazine.org/Security.tls.version.*

Setting security.tls.version.min to 1 allows TLSv1.0 to be used, which is vulnerable to a similar padding oracle attack (and timing oracle attacks) found long ago.  You should be using a value of 2 for this setting.

-Brad


On 10/16/2014 10:28 AM, Marco Galicia wrote:
Hi,

As far as I know, a new vulnerability called poodle has been discovered regarding https. This vulnerability takes advantage of SSL 3.0 and forces the https protocol to use this outdated protocol.

I have been told that a fix for this vulnerability is to disable the use of this protocol in the web browsers.

In Iceweasel:
change this option in about:config

security.tls.version.min
to 1

Shouldn't Iceweasel be recompiled to include this option in the compilation settings??
Can it be done officially in Debian??
Can this also be done for other web browsers??

If it is not possible to do it officially??
How can I do it?? What would be the compilation parameter, something like " /.config  --security.tls-version.min.1??

I have obtained the info from this website.

http://www.dmdcosillas.org/2014/10/que-demonios-no-hay-dos-sin-tres/  (in Spanish)
--
Please avoid sending me attachments in Word, Excel or PowerPoint format.
As an alternative, you can send me documents in odt, odx or ods format, as well as documents in pdf format.
If it is really necessary to send me a document in Word format, please use the .doc format instead of .docx.

See http://www.gnu.org/philosophy/no-word-attachments.html
http://es.libreoffice.org/
http://getgnulinux.org/es
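
An added example, not part of either message in this thread: a small Python check that reads Firefox/Iceweasel preference file contents and reports whether security.tls.version.min meets the value of 2 recommended in the reply above. The sample file contents are constructed, the function names are hypothetical, and passing prefs.js before user.js (so that user.js wins) is an assumption about how the caller orders its inputs.

```python
import re

# Meaning of security.tls.version.min values 0-3, per the MozillaZine KB page
# linked in the reply above.
TLS_PREF_VALUES = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2"}
PREF_NAME = "security.tls.version.min"

# Matches active lines such as: user_pref("security.tls.version.min", 1);
# Lines commented out with // do not match because of the ^\s* anchor.
PREF_RE = re.compile(
    r'^\s*(?:user_pref|pref)\(\s*"([^"]+)"\s*,\s*(-?\d+)\s*\)\s*;', re.MULTILINE
)

def effective_min(*pref_texts):
    """Return the last value set for the pref; later texts override earlier ones."""
    value = None
    for text in pref_texts:
        for name, raw in PREF_RE.findall(text):
            if name == PREF_NAME:
                value = int(raw)
    return value

def audit(*pref_texts, required=2):
    """Return (status, value, protocol) where status is ok, weak or unset."""
    value = effective_min(*pref_texts)
    if value is None:
        # Nothing set in these files: the browser's built-in default applies.
        return ("unset", None, None)
    status = "ok" if value >= required else "weak"
    return (status, value, TLS_PREF_VALUES.get(value, "unknown value"))

# Constructed sample contents (not taken from a real profile).
SAMPLE_PREFS_JS = '''// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("security.tls.version.min", 1);
'''
SAMPLE_USER_JS = '''// user_pref("security.tls.version.min", 0);
user_pref("security.tls.version.min", 2);
'''

if __name__ == "__main__":
    print("prefs.js only:      ", audit(SAMPLE_PREFS_JS))
    print("prefs.js + user.js: ", audit(SAMPLE_PREFS_JS, SAMPLE_USER_JS))
```

To check a real profile, read its prefs.js and user.js into strings and pass them in that order.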

